diff --git a/app/api/auth.py b/app/api/auth.py
index cdd1bd5d..0a0e70d1 100644
--- a/app/api/auth.py
+++ b/app/api/auth.py
@@ -4,7 +4,7 @@
 import os
 import time
 import uuid
-from datetime import datetime
+from datetime import datetime, timedelta, UTC
 import email_validator
 
 from typing import Optional, List, Union
@@ -36,7 +36,7 @@
 from app.core.worker import generate_pricing_url
 
 from app.db.database import get_db
-from app.db.models import DBUser, DBAPIToken, DBRegion, DBTeam
+from app.db.models import DBUser, DBAPIToken, DBRegion, DBTeam, DBAPITokenExpiryOption
 
 from app.services.litellm import LiteLLMService
 from app.services.dynamodb import DynamoDBService
@@ -50,6 +50,7 @@
     APIToken,
     APITokenCreate,
     APITokenResponse,
+    APITokenExpiryOption,
     UserUpdate,
     EmailValidation,
     LoginData,
@@ -519,6 +520,20 @@ def generate_api_token() -> str:
     return secrets.token_urlsafe(32)
 
 
+@router.get("/token/expiry-options", response_model=List[APITokenExpiryOption])
+async def list_expiry_options(
+    current_user=Depends(get_current_user_from_auth),
+    db: Session = Depends(get_db),
+):
+    """List available API token expiry options"""
+    return (
+        db.query(DBAPITokenExpiryOption)
+        .filter(DBAPITokenExpiryOption.is_active)
+        .order_by(DBAPITokenExpiryOption.id)
+        .all()
+    )
+
+
 @router.post("/token", response_model=APIToken)
 async def create_token(
     token_create: APITokenCreate,
@@ -552,8 +567,34 @@ async def create_token(
         # Create token for the current user
         user_id = current_user.id
 
+    # Fetch expiry option from DB (only active options are valid)
+    expiry_slug = token_create.expiry or "forever"
+    db_expiry_opt = (
+        db.query(DBAPITokenExpiryOption)
+        .filter(
+            DBAPITokenExpiryOption.slug == expiry_slug,
+            DBAPITokenExpiryOption.is_active,
+        )
+        .first()
+    )
+
+    if not db_expiry_opt:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail=f"Invalid or inactive expiry option: {expiry_slug}",
+        )
+
+    # Calculate expiration date
+    expires_at = None
+    if db_expiry_opt.days is not None:
+        expires_at = datetime.now(UTC) + timedelta(days=db_expiry_opt.days)
+
     db_token = DBAPIToken(
-        name=token_create.name, token=generate_api_token(), user_id=user_id
+        name=token_create.name,
+        token=generate_api_token(),
+        user_id=user_id,
+        expires_at=expires_at,
+        expiry_option=db_expiry_opt.slug,
     )
     db.add(db_token)
     db.commit()
diff --git a/app/api/public.py b/app/api/public.py
index 00c35666..4915b8de 100644
--- a/app/api/public.py
+++ b/app/api/public.py
@@ -119,7 +119,9 @@ def _to_display_name(model_id: str, aliases: list[str] | None = None) -> str:
     # Replace hyphenated number sequences with dotted versions before splitting.
     # Use word-boundary anchors so that e.g. "3-5" does not corrupt "123-5".
     modified_id = model_id
-    for hyphenated, dotted in sorted(dot_replacements.items(), key=lambda x: -len(x[0])):
+    for hyphenated, dotted in sorted(
+        dot_replacements.items(), key=lambda x: -len(x[0])
+    ):
         modified_id = re.sub(
             r"(?<![0-9])" + re.escape(hyphenated) + r"(?![0-9])",
             dotted,
diff --git a/app/api/subscription.py b/app/api/subscription.py
index 0fdece09..e6682b75 100644
--- a/app/api/subscription.py
+++ b/app/api/subscription.py
@@ -1,11 +1,10 @@
 import logging
 from datetime import UTC, datetime, timedelta
 
-from fastapi import APIRouter, Depends, HTTPException, status
-from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
+from fastapi import APIRouter, Depends, HTTPException
 from sqlalchemy.orm import Session
 
-from app.core.config import settings
+from app.core.security import get_role_min_system_admin
 from app.core.team_service import get_team_region_litellm_keys
 from app.core.worker import (
     _record_periodic_payment_direct,
@@ -32,17 +31,6 @@
 
 router = APIRouter()
 logger = logging.getLogger(__name__)
-security = HTTPBearer()
-
-
-def _verify_moad_api_key(
-    credentials: HTTPAuthorizationCredentials = Depends(security),
-):
-    if credentials.credentials != settings.MOAD_API_KEY:
-        raise HTTPException(
-            status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid API key"
-        )
-    return credentials.credentials
 
 
 def _write_audit_log(
@@ -73,11 +61,14 @@ def _write_audit_log(
             logger.warning("Failed to rollback audit log transaction: %s", rollback_exc)
 
 
-@router.post("/cycle", response_model=SubscriptionCycleResponse)
+@router.post(
+    "/cycle",
+    response_model=SubscriptionCycleResponse,
+    dependencies=[Depends(get_role_min_system_admin)],
+)
 async def subscription_cycle(
     request: SubscriptionCycleRequest,
     db: Session = Depends(get_db),
-    _: str = Depends(_verify_moad_api_key),
 ):
     logger.info("subscription.cycle called: %s", request.model_dump())
 
@@ -232,11 +223,14 @@ async def subscription_cycle(
         raise HTTPException(status_code=500, detail=f"Subscription cycle failed: {exc}")
 
 
-@router.post("/deactivate", response_model=SubscriptionDeactivateResponse)
+@router.post(
+    "/deactivate",
+    response_model=SubscriptionDeactivateResponse,
+    dependencies=[Depends(get_role_min_system_admin)],
+)
 async def subscription_deactivate(
     request: SubscriptionDeactivateRequest,
     db: Session = Depends(get_db),
-    _: str = Depends(_verify_moad_api_key),
 ):
     logger.info("subscription.deactivate called: %s", request.model_dump())
 
diff --git a/app/core/security.py b/app/core/security.py
index 5158fbea..7c54e4c5 100644
--- a/app/core/security.py
+++ b/app/core/security.py
@@ -142,6 +142,14 @@ async def get_current_user_from_auth(
             .first()
         )
         if db_token:
+            # Check if token is expired
+            if db_token.expires_at and db_token.expires_at < datetime.now(UTC):
+                raise HTTPException(
+                    status_code=status.HTTP_401_UNAUTHORIZED,
+                    detail="API token has expired",
+                    headers={"WWW-Authenticate": "Bearer"},
+                )
+
             # Update last used timestamp
             db_token.last_used_at = datetime.now(UTC)
             _check_user_team_not_suspended(db_token.owner)
@@ -150,7 +158,9 @@ async def get_current_user_from_auth(
     except HTTPException:
         raise
     except Exception:
-        pass
+        logger.exception(
+            "Unexpected error during API token validation; falling back to JWT validation"
+        )
 
     # If API token validation fails, try JWT validation
     try:
diff --git a/app/db/init_db.py b/app/db/init_db.py
index 8936f53b..9e3387ea 100644
--- a/app/db/init_db.py
+++ b/app/db/init_db.py
@@ -1,11 +1,63 @@
-from app.db.models import Base
-from app.db.database import engine
+import logging
+
+from app.db.models import Base, DBAPITokenExpiryOption
+from app.db.database import engine, SessionLocal
+
+logger = logging.getLogger(__name__)
+
+
+def init_api_token_expiry_options(db=None):
+    logger.info("Initializing API token expiry options...")
+    own_db = False
+    if db is None:
+        db = SessionLocal()
+        own_db = True
+
+    try:
+        options = [
+            {"name": "1 day", "slug": "1_day", "days": 1},
+            {"name": "1 week", "slug": "1_week", "days": 7},
+            {"name": "1 month", "slug": "1_month", "days": 30},
+            {"name": "2 months", "slug": "2_months", "days": 60},
+            {"name": "3 months", "slug": "3_months", "days": 90},
+            {"name": "4 months", "slug": "4_months", "days": 120},
+            {"name": "5 months", "slug": "5_months", "days": 150},
+            {"name": "6 months", "slug": "6_months", "days": 180},
+            {"name": "7 months", "slug": "7_months", "days": 210},
+            {"name": "8 months", "slug": "8_months", "days": 240},
+            {"name": "9 months", "slug": "9_months", "days": 270},
+            {"name": "10 months", "slug": "10_months", "days": 300},
+            {"name": "11 months", "slug": "11_months", "days": 330},
+            {"name": "1 year", "slug": "1_year", "days": 365},
+            {"name": "forever", "slug": "forever", "days": None},
+        ]
+
+        for opt_data in options:
+            existing = (
+                db.query(DBAPITokenExpiryOption)
+                .filter(DBAPITokenExpiryOption.slug == opt_data["slug"])
+                .first()
+            )
+            if not existing:
+                db_opt = DBAPITokenExpiryOption(**opt_data)
+                db.add(db_opt)
+
+        db.commit()
+        logger.info("API token expiry options initialized successfully!")
+    except Exception:
+        logger.exception("Error initializing API token expiry options")
+        db.rollback()
+        raise
+    finally:
+        if own_db:
+            db.close()
 
 
 def init_db():
-    print("Creating database tables...")
+    logger.info("Creating database tables...")
     Base.metadata.create_all(bind=engine)
-    print("Database tables created successfully!")
+    logger.info("Database tables created successfully!")
+    init_api_token_expiry_options()
 
 
 if __name__ == "__main__":
diff --git a/app/db/models.py b/app/db/models.py
index 2d3798b7..cbd53312 100644
--- a/app/db/models.py
+++ b/app/db/models.py
@@ -124,6 +124,16 @@ class DBRegion(Base):
     admin_users = relationship("DBUserAdminRegion", back_populates="region")
 
 
+class DBAPITokenExpiryOption(Base):
+    __tablename__ = "api_token_expiry_options"
+
+    id = Column(Integer, primary_key=True, index=True)
+    name = Column(String, nullable=False)
+    slug = Column(String, unique=True, index=True, nullable=False)
+    days = Column(Integer, nullable=True)  # None for forever
+    is_active = Column(Boolean, nullable=False, default=True)
+
+
 class DBAPIToken(Base):
     __tablename__ = "api_tokens"
 
@@ -132,6 +142,8 @@ class DBAPIToken(Base):
     token = Column(String, unique=True, index=True)
     created_at = Column(DateTime(timezone=True), default=func.now())
     last_used_at = Column(DateTime(timezone=True), nullable=True)
+    expires_at = Column(DateTime(timezone=True), nullable=True)
+    expiry_option = Column(String, default="forever", nullable=False)
     user_id = Column(Integer, ForeignKey("users.id"))
 
     owner = relationship("DBUser", back_populates="api_tokens")
diff --git a/app/migrations/versions/20260408_125946_daf5bf0b03c2_add_api_token_expiry_options.py b/app/migrations/versions/20260408_125946_daf5bf0b03c2_add_api_token_expiry_options.py
new file mode 100644
index 00000000..7e1e6620
--- /dev/null
+++ b/app/migrations/versions/20260408_125946_daf5bf0b03c2_add_api_token_expiry_options.py
@@ -0,0 +1,110 @@
+"""add_api_token_expiry_options
+
+Revision ID: daf5bf0b03c2
+Revises: a1b2c3d4e5f6
+Create Date: 2026-04-08 12:59:46.600703+00:00
+
+"""
+
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision: str = "daf5bf0b03c2"
+down_revision: Union[str, None] = "a1b2c3d4e5f6"
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    # Create api_token_expiry_options table
+    op.create_table(
+        "api_token_expiry_options",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("name", sa.String(), nullable=False),
+        sa.Column("slug", sa.String(), nullable=False),
+        sa.Column("days", sa.Integer(), nullable=True),
+        sa.Column("is_active", sa.Boolean(), nullable=False, server_default=sa.true()),
+        sa.PrimaryKeyConstraint("id"),
+    )
+    op.create_index(
+        op.f("ix_api_token_expiry_options_id"),
+        "api_token_expiry_options",
+        ["id"],
+        unique=False,
+    )
+    op.create_index(
+        op.f("ix_api_token_expiry_options_slug"),
+        "api_token_expiry_options",
+        ["slug"],
+        unique=True,
+    )
+
+    # Seed default expiry options so the API is usable immediately after migration
+    expiry_options_table = sa.table(
+        "api_token_expiry_options",
+        sa.column("name", sa.String()),
+        sa.column("slug", sa.String()),
+        sa.column("days", sa.Integer()),
+        sa.column("is_active", sa.Boolean()),
+    )
+    op.bulk_insert(
+        expiry_options_table,
+        [
+            {"name": "1 day", "slug": "1_day", "days": 1, "is_active": True},
+            {"name": "1 week", "slug": "1_week", "days": 7, "is_active": True},
+            {"name": "1 month", "slug": "1_month", "days": 30, "is_active": True},
+            {"name": "2 months", "slug": "2_months", "days": 60, "is_active": True},
+            {"name": "3 months", "slug": "3_months", "days": 90, "is_active": True},
+            {"name": "4 months", "slug": "4_months", "days": 120, "is_active": True},
+            {"name": "5 months", "slug": "5_months", "days": 150, "is_active": True},
+            {"name": "6 months", "slug": "6_months", "days": 180, "is_active": True},
+            {"name": "7 months", "slug": "7_months", "days": 210, "is_active": True},
+            {"name": "8 months", "slug": "8_months", "days": 240, "is_active": True},
+            {"name": "9 months", "slug": "9_months", "days": 270, "is_active": True},
+            {"name": "10 months", "slug": "10_months", "days": 300, "is_active": True},
+            {"name": "11 months", "slug": "11_months", "days": 330, "is_active": True},
+            {"name": "1 year", "slug": "1_year", "days": 365, "is_active": True},
+            {"name": "forever", "slug": "forever", "days": None, "is_active": True},
+        ],
+    )
+
+    # Update api_tokens table - these might already exist in some environments but let's ensure they are there
+    # Check if columns exist first to be safe
+    conn = op.get_bind()
+    inspector = sa.inspect(conn)
+    columns = [c["name"] for c in inspector.get_columns("api_tokens")]
+
+    if "expires_at" not in columns:
+        op.add_column(
+            "api_tokens",
+            sa.Column("expires_at", sa.DateTime(timezone=True), nullable=True),
+        )
+    if "expiry_option" not in columns:
+        op.add_column(
+            "api_tokens",
+            sa.Column(
+                "expiry_option", sa.String(), nullable=False, server_default="forever"
+            ),
+        )
+
+
+def downgrade() -> None:
+    conn = op.get_bind()
+    inspector = sa.inspect(conn)
+    columns = [c["name"] for c in inspector.get_columns("api_tokens")]
+
+    if "expiry_option" in columns:
+        op.drop_column("api_tokens", "expiry_option")
+    if "expires_at" in columns:
+        op.drop_column("api_tokens", "expires_at")
+    op.drop_index(
+        op.f("ix_api_token_expiry_options_slug"), table_name="api_token_expiry_options"
+    )
+    op.drop_index(
+        op.f("ix_api_token_expiry_options_id"), table_name="api_token_expiry_options"
+    )
+    op.drop_table("api_token_expiry_options")
diff --git a/app/schemas/models.py b/app/schemas/models.py
index e266b5ae..0e5456b6 100644
--- a/app/schemas/models.py
+++ b/app/schemas/models.py
@@ -68,12 +68,22 @@ class User(UserBase):
     audit_logs: ClassVar = relationship("AuditLog", back_populates="user")
 
 
+class APITokenExpiryOption(BaseModel):
+    id: int
+    name: str
+    slug: str
+    days: Optional[int] = None
+    is_active: bool
+    model_config = ConfigDict(from_attributes=True)
+
+
 class APITokenBase(BaseModel):
     name: str
 
 
 class APITokenCreate(APITokenBase):
     user_id: Optional[int] = None
+    expiry: Optional[str] = "forever"
 
 
 class APIToken(APITokenBase):
@@ -81,6 +91,8 @@ class APIToken(APITokenBase):
     token: str
     created_at: datetime
     last_used_at: Optional[datetime] = None
+    expires_at: Optional[datetime] = None
+    expiry_option: str
     user_id: int
     model_config = ConfigDict(from_attributes=True)
 
@@ -89,6 +101,8 @@ class APITokenResponse(APITokenBase):
     id: int
     created_at: datetime
     last_used_at: Optional[datetime] = None
+    expires_at: Optional[datetime] = None
+    expiry_option: str
     user_id: int
     model_config = ConfigDict(from_attributes=True)
 
diff --git a/frontend/src/app/auth/token/page.tsx b/frontend/src/app/auth/token/page.tsx
index d8799564..2e5f38e0 100644
--- a/frontend/src/app/auth/token/page.tsx
+++ b/frontend/src/app/auth/token/page.tsx
@@ -1,7 +1,7 @@
 "use client";
 
 import { Loader2, X } from "lucide-react";
-import { useState, useEffect, useCallback } from "react";
+import { useState } from "react";
 import { Alert, AlertDescription } from "@/components/ui/alert";
 import { Button } from "@/components/ui/button";
 import { Card, CardContent, CardHeader, CardTitle } from "@/components/ui/card";
@@ -11,41 +11,66 @@ import { useToast } from "@/hooks/use-toast";
 import { get, post, del } from "@/utils/api";
 import { useQuery, useMutation, useQueryClient } from "@tanstack/react-query";
 
+import {
+  Select,
+  SelectContent,
+  SelectItem,
+  SelectTrigger,
+  SelectValue,
+} from "@/components/ui/select";
+
 interface APIToken {
   id: string;
   name: string;
   token: string;
   created_at: string;
   last_used_at?: string;
+  expires_at?: string;
+  expiry_option: string;
+}
+
+interface ExpiryOption {
+  id: number;
+  name: string;
+  slug: string;
+  days: number | null;
 }
 
 export default function APITokensPage() {
   const { toast } = useToast();
   const queryClient = useQueryClient();
   const [newTokenName, setNewTokenName] = useState("");
+  const [selectedExpiry, setSelectedExpiry] = useState("forever");
   const [showNewToken, setShowNewToken] = useState<APIToken | null>(null);
-  const [tokens, setTokens] = useState<APIToken[]>([]);
 
-  const { isLoading: queryLoading } = useQuery({
+  const { data: expiryOptions } = useQuery({
+    queryKey: ["expiry-options"],
+    queryFn: async () => {
+      const response = await get("/auth/token/expiry-options");
+      return response.json() as Promise<ExpiryOption[]>;
+    },
+  });
+
+  const { isLoading: tokensLoading, data: tokens = [] } = useQuery({
     queryKey: ["tokens"],
     queryFn: async () => {
       const response = await get("/auth/token");
       const data = await response.json();
-      return data;
+      return data as APIToken[];
     },
   });
 
   const createMutation = useMutation({
-    mutationFn: async (name: string) => {
-      const response = await post("/auth/token", { name });
+    mutationFn: async (payload: { name: string; expiry: string }) => {
+      const response = await post("/auth/token", payload);
       const data = await response.json();
       return data;
     },
     onSuccess: (newToken) => {
       queryClient.invalidateQueries({ queryKey: ["tokens"] });
-      queryClient.refetchQueries({ queryKey: ["tokens"], exact: true });
       setShowNewToken(newToken);
       setNewTokenName("");
+      setSelectedExpiry("forever");
       toast({
         title: "Success",
         description: "Token created successfully",
@@ -66,7 +91,6 @@ export default function APITokensPage() {
     },
     onSuccess: () => {
       queryClient.invalidateQueries({ queryKey: ["tokens"] });
-      queryClient.refetchQueries({ queryKey: ["tokens"], exact: true });
       toast({
         title: "Success",
         description: "Token deleted successfully",
@@ -81,50 +105,17 @@ export default function APITokensPage() {
     },
   });
 
-  const fetchTokens = useCallback(async () => {
-    try {
-      const response = await get("auth/token", { credentials: "include" });
-      const data = await response.json();
-      setTokens(data);
-    } catch (error) {
-      console.error("Error fetching tokens:", error);
-      toast({
-        title: "Error",
-        description: "Failed to fetch tokens",
-        variant: "destructive",
-      });
-    }
-  }, [toast, setTokens]);
-
   const handleCreateToken = async (e: React.FormEvent<HTMLFormElement>) => {
     e.preventDefault();
     if (!newTokenName.trim()) return;
-    createMutation.mutate(newTokenName);
+    createMutation.mutate({ name: newTokenName, expiry: selectedExpiry });
   };
 
   const handleDeleteToken = async (tokenId: string) => {
-    try {
-      await del("/auth/token/" + tokenId, { credentials: "include" });
-      setTokens(tokens.filter((token) => token.id !== tokenId));
-      toast({
-        title: "Success",
-        description: "Token deleted successfully",
-      });
-    } catch (error) {
-      console.error("Error deleting token:", error);
-      toast({
-        title: "Error",
-        description: "Failed to delete token",
-        variant: "destructive",
-      });
-    }
+    deleteMutation.mutate(tokenId);
   };
 
-  useEffect(() => {
-    void fetchTokens();
-  }, [fetchTokens]);
-
-  if (queryLoading) {
+  if (tokensLoading) {
     return (
       <div className="flex items-center justify-center min-h-[400px]">
         <Loader2 className="h-8 w-8 animate-spin" />
@@ -144,14 +135,42 @@ export default function APITokensPage() {
           <CardTitle>Create New Token</CardTitle>
         </CardHeader>
         <CardContent>
-          <form onSubmit={handleCreateToken} className="flex gap-4">
-            <Input
-              type="text"
-              value={newTokenName}
-              onChange={(e) => setNewTokenName(e.target.value)}
-              placeholder="Token name"
-              className="max-w-sm"
-            />
+          <form onSubmit={handleCreateToken} className="flex gap-4 items-end">
+            <div className="grid gap-2 flex-1 max-w-sm">
+              <label htmlFor="token-name" className="text-sm font-medium">
+                Token Name
+              </label>
+              <Input
+                id="token-name"
+                type="text"
+                value={newTokenName}
+                onChange={(e) => setNewTokenName(e.target.value)}
+                placeholder="Token name"
+              />
+            </div>
+            <div className="grid gap-2 w-[200px]">
+              <label htmlFor="expiry" className="text-sm font-medium">
+                Expiration
+              </label>
+              <Select
+                value={selectedExpiry}
+                onValueChange={setSelectedExpiry}
+              >
+                <SelectTrigger id="expiry">
+                  <SelectValue placeholder="Select expiry" />
+                </SelectTrigger>
+                <SelectContent>
+                  {expiryOptions?.map((opt) => (
+                    <SelectItem key={opt.slug} value={opt.slug}>
+                      {opt.name}
+                    </SelectItem>
+                  ))}
+                  {(!expiryOptions || expiryOptions.length === 0) && (
+                    <SelectItem value="forever">forever</SelectItem>
+                  )}
+                </SelectContent>
+              </Select>
+            </div>
             <Button
               type="submit"
               disabled={createMutation.isPending || !newTokenName.trim()}
@@ -201,17 +220,29 @@ export default function APITokensPage() {
           <Card key={token.id}>
             <CardContent className="pt-6">
               <div className="flex items-center justify-between">
-                <div>
-                  <h3 className="text-lg font-medium">{token.name}</h3>
-                  <div className="text-sm text-muted-foreground space-y-1">
-                    <p>
+                <div className="grid grid-cols-1 md:grid-cols-3 gap-4 flex-1">
+                  <div>
+                    <h3 className="text-lg font-medium">{token.name}</h3>
+                    <p className="text-xs text-muted-foreground">
                       Created: {new Date(token.created_at).toLocaleDateString()}
                     </p>
+                  </div>
+                  <div className="flex flex-col justify-center">
+                    <p className="text-sm font-medium">Expires</p>
+                    <p className="text-xs text-muted-foreground">
+                      {token.expires_at
+                        ? new Date(token.expires_at).toLocaleDateString()
+                        : "Never"}
+                    </p>
+                  </div>
+                  <div className="flex flex-col justify-center">
                     {token.last_used_at && (
-                      <p>
-                        Last used:{" "}
-                        {new Date(token.last_used_at).toLocaleDateString()}
-                      </p>
+                      <>
+                        <p className="text-sm font-medium">Last used</p>
+                        <p className="text-xs text-muted-foreground">
+                          {new Date(token.last_used_at).toLocaleDateString()}
+                        </p>
+                      </>
                     )}
                   </div>
                 </div>
diff --git a/scripts/restore_database.py b/scripts/restore_database.py
index 84d78b57..d36f98e7 100755
--- a/scripts/restore_database.py
+++ b/scripts/restore_database.py
@@ -120,9 +120,7 @@ def get_db_config():
     # `--dbname`. The password flows through PGPASSWORD instead.
     safe_netloc = _strip_password_from_netloc(parsed)
     safe_url = urlunparse(parsed._replace(netloc=safe_netloc))
-    maintenance_url = urlunparse(
-        parsed._replace(netloc=safe_netloc, path="/postgres")
-    )
+    maintenance_url = urlunparse(parsed._replace(netloc=safe_netloc, path="/postgres"))
     return {
         "url": safe_url,
         "maintenance_url": maintenance_url,
@@ -153,7 +151,9 @@ def check_required_tools():
     """Verify all required postgres client tools are on PATH."""
     missing = [t for t in REQUIRED_TOOLS if shutil.which(t) is None]
     if missing:
-        print(f"Error: Required postgres client tool(s) not found: {', '.join(missing)}")
+        print(
+            f"Error: Required postgres client tool(s) not found: {', '.join(missing)}"
+        )
         print("  This script must run in an environment with postgres client tools")
         print("  installed (e.g. the Lagoon `cli` container).")
         sys.exit(1)
@@ -211,8 +211,10 @@ def backup_current_database(config, backup_path):
     cmd = [
         "pg_dump",
         "--format=custom",
-        "--file", backup_path,
-        "--dbname", config["url"],
+        "--file",
+        backup_path,
+        "--dbname",
+        config["url"],
     ]
     try:
         run_pg_tool(cmd, config)
@@ -222,7 +224,10 @@ def backup_current_database(config, backup_path):
             os.unlink(backup_path)
         except OSError as cleanup_err:
             # Best-effort cleanup only: preserve original pg_dump failure path.
-            print(f"  Warning: could not remove partial backup file: {cleanup_err}", file=sys.stderr)
+            print(
+                f"  Warning: could not remove partial backup file: {cleanup_err}",
+                file=sys.stderr,
+            )
         raise SystemExit(f"  pg_dump failed: {sanitize(e.stderr or e, config)}")
 
     size_mb = os.path.getsize(backup_path) / (1024 * 1024)
@@ -347,7 +352,8 @@ def apply_restore(config, dump_dir):
         # Connect to the maintenance DB so pg_restore can drop/create the
         # target. `maintenance_url` carries every libpq param from the
         # configured DATABASE_URL (sslmode, connect_timeout, etc.).
-        "--dbname", config["maintenance_url"],
+        "--dbname",
+        config["maintenance_url"],
         dump_dir,
     ]
     try:
@@ -359,7 +365,7 @@ def apply_restore(config, dump_dir):
             "restored. Recover from the safety backup with:\n"
             "    pg_restore --clean --create --if-exists --no-owner "
             "--no-privileges \\\n"
-            "      -d \"<maintenance DATABASE_URL, path=/postgres>\" "
+            '      -d "<maintenance DATABASE_URL, path=/postgres>" '
             "<safety_backup>.dump"
         )
 
@@ -371,7 +377,9 @@ def check_disk_space(path, required_mb=500):
     stat = os.statvfs(path)
     available_mb = (stat.f_bavail * stat.f_frsize) / (1024 * 1024)
     if available_mb < required_mb:
-        print(f"  Warning: Only {available_mb:.0f}MB available at {path} (recommend >= {required_mb}MB)")
+        print(
+            f"  Warning: Only {available_mb:.0f}MB available at {path} (recommend >= {required_mb}MB)"
+        )
         return False
     return True
 
@@ -405,7 +413,8 @@ def main():
         help="Directory to extract the backup into (default: system temp directory)",
     )
     parser.add_argument(
-        "--yes", "-y",
+        "--yes",
+        "-y",
         action="store_true",
         help="Skip confirmation prompt",
     )
@@ -463,7 +472,9 @@ def main():
             print("A safety backup of the current database will be created first.")
         else:
             print("No safety backup will be created (--no-backup specified).")
-        response = input("\nAre you sure you want to proceed? [yes/no]: ").strip().lower()
+        response = (
+            input("\nAre you sure you want to proceed? [yes/no]: ").strip().lower()
+        )
         if response not in ("yes", "y"):
             print("Aborted.")
             sys.exit(0)
@@ -475,7 +486,9 @@ def main():
         # Step 1: Backup current database (unless skipped)
         if not args.no_backup:
             print("\n[1/3] Backing up current database...")
-            backup_dir = args.backup_dir or os.path.dirname(os.path.abspath(args.backup_file))
+            backup_dir = args.backup_dir or os.path.dirname(
+                os.path.abspath(args.backup_file)
+            )
             os.makedirs(backup_dir, exist_ok=True)
             safety_backup_path = os.path.join(
                 backup_dir, f"{config['database']}_pre_restore.dump"
@@ -494,10 +507,14 @@ def main():
             except SystemExit as exc:
                 print(f"  {exc}", file=sys.stderr)
                 if args.yes:
-                    print("  Error: Cannot proceed without safety backup in non-interactive mode.")
+                    print(
+                        "  Error: Cannot proceed without safety backup in non-interactive mode."
+                    )
                     print("  Use --no-backup to explicitly skip the safety backup.")
                     sys.exit(1)
-                response = input("  Continue without backup? [yes/no]: ").strip().lower()
+                response = (
+                    input("  Continue without backup? [yes/no]: ").strip().lower()
+                )
                 if response not in ("yes", "y"):
                     print("Aborted.")
                     sys.exit(0)
@@ -510,7 +527,9 @@ def main():
         os.makedirs(extract_dir, exist_ok=True)
         dump_dir = extract_backup(args.backup_file, extract_dir)
         dump_contents = os.listdir(dump_dir)
-        dat_count = sum(1 for f in dump_contents if f.endswith(".dat") and f != "toc.dat")
+        dat_count = sum(
+            1 for f in dump_contents if f.endswith(".dat") and f != "toc.dat"
+        )
         print(f"  Dump directory: {dump_dir}")
         print(f"  Found: toc.dat + {dat_count} data files")
 
diff --git a/tests/conftest.py b/tests/conftest.py
index 0e5dd1bb..c8e2ee23 100644
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -10,6 +10,7 @@
 from app.main import app
 from app.db.database import get_db
 from app.db.models import Base, DBRegion, DBUser, DBTeam, DBProduct, DBTeamRegion
+from app.db.init_db import init_api_token_expiry_options
 from app.core.security import get_password_hash
 from datetime import datetime, UTC, timedelta
 from unittest.mock import patch, MagicMock, Mock, AsyncMock
@@ -33,6 +34,10 @@ def db():
 
     # Create a new session for the test
     db = TestingSessionLocal()
+
+    # Initialize default data
+    init_api_token_expiry_options(db=db)
+
     try:
         yield db
     finally:
diff --git a/tests/test_api_token_expiry.py b/tests/test_api_token_expiry.py
new file mode 100644
index 00000000..64ab9dad
--- /dev/null
+++ b/tests/test_api_token_expiry.py
@@ -0,0 +1,147 @@
+import pytest
+from datetime import datetime, timedelta, UTC
+from app.db.models import DBAPIToken
+import app.db.init_db as init_db
+
+
+class _SessionProxy:
+    """Proxy that delegates to the test session but suppresses close() calls."""
+
+    def __init__(self, session):
+        self._session = session
+
+    def __getattr__(self, name):
+        return getattr(self._session, name)
+
+    def __enter__(self):
+        return self
+
+    def __exit__(self, exc_type, exc, tb):
+        return False
+
+    def close(self):
+        # Keep the pytest-managed session alive for the duration of the test.
+        return None
+
+
+@pytest.fixture(autouse=True)
+def seed_expiry_options(db, monkeypatch):
+    session_proxy = _SessionProxy(db)
+    monkeypatch.setattr(init_db, "SessionLocal", lambda: session_proxy)
+    init_db.init_api_token_expiry_options()
+
+
+def test_list_expiry_options(client, test_token):
+    """Test listing expiry options"""
+    response = client.get(
+        "/auth/token/expiry-options",
+        headers={"Authorization": f"Bearer {test_token}"},
+    )
+
+    assert response.status_code == 200
+    data = response.json()
+    assert isinstance(data, list)
+    assert len(data) >= 15
+
+    slugs = [opt["slug"] for opt in data]
+    assert "1_day" in slugs
+    assert "forever" in slugs
+
+
+def test_create_token_with_expiry(client, test_token, test_user, db):
+    """Test creating a token with specific expiry options from DB"""
+    # Get options from API
+    response = client.get(
+        "/auth/token/expiry-options",
+        headers={"Authorization": f"Bearer {test_token}"},
+    )
+    assert response.status_code == 200
+    options = response.json()
+    assert isinstance(options, list)
+
+    # Test a few specific ones
+    test_cases = {"1_day": 1, "1_week": 7, "1_month": 30, "1_year": 365}
+    option_slugs = [opt["slug"] for opt in options]
+    for slug in test_cases:
+        assert slug in option_slugs
+
+    for slug, days in test_cases.items():
+        response = client.post(
+            "/auth/token",
+            headers={"Authorization": f"Bearer {test_token}"},
+            json={"name": f"Test {slug}", "expiry": slug},
+        )
+
+        assert response.status_code == 200
+        data = response.json()
+        assert data["expiry_option"] == slug
+        assert data["expires_at"] is not None
+
+        # Verify calculated date is roughly correct (within a few seconds)
+        expires_at = datetime.fromisoformat(data["expires_at"].replace("Z", "+00:00"))
+        expected_expiry = datetime.now(UTC) + timedelta(days=days)
+        assert abs((expires_at - expected_expiry).total_seconds()) < 5
+
+
+def test_create_token_forever(client, test_token, test_user):
+    """Test creating a token with 'forever' expiry"""
+    response = client.post(
+        "/auth/token",
+        headers={"Authorization": f"Bearer {test_token}"},
+        json={"name": "Forever Token", "expiry": "forever"},
+    )
+
+    assert response.status_code == 200
+    data = response.json()
+    assert data["expiry_option"] == "forever"
+    assert data["expires_at"] is None
+
+
+def test_expired_token_access(client, test_user, db):
+    """Test that an expired token cannot be used"""
+    # Create an already expired token manually in DB
+    expired_at = datetime.now(UTC) - timedelta(hours=1)
+    db_token = DBAPIToken(
+        name="Expired Token",
+        token="expired-token-123",
+        user_id=test_user.id,
+        expires_at=expired_at,
+        expiry_option="1_day",
+    )
+    db.add(db_token)
+    db.commit()
+
+    # Try to use the expired token
+    response = client.get(
+        "/auth/token", headers={"Authorization": "Bearer expired-token-123"}
+    )
+
+    assert response.status_code == 401
+    assert "API token has expired" in response.json()["detail"]
+
+
+def test_valid_token_access(client, test_user, db):
+    """Test that a valid (not yet expired) token can be used"""
+    # Create a token that expires in the future
+    expires_at = datetime.now(UTC) + timedelta(days=1)
+    db_token = DBAPIToken(
+        name="Valid Token",
+        token="valid-token-123",
+        user_id=test_user.id,
+        expires_at=expires_at,
+        expiry_option="1_day",
+    )
+    db.add(db_token)
+    db.commit()
+
+    # Try to use the valid token
+    response = client.get(
+        "/auth/token", headers={"Authorization": "Bearer valid-token-123"}
+    )
+
+    assert response.status_code == 200
+
+    # Verify last_used_at was updated
+    db.refresh(db_token)
+    assert db_token.last_used_at is not None
+    assert abs((db_token.last_used_at - datetime.now(UTC)).total_seconds()) < 5